Cloudflare and the Agentic Harness
By Ken Ivory, Customer Solutions Engineer
Agents Week 2026 didn’t just ship more AI products. It shipped the straps, buckles, and gates that turn an autonomous agent into something a security team can actually deploy against a production Cloudflare account. Here’s the harness, and what it feels like once you put it on.
A harness, not a leash
There’s a particular kind of nervousness that shows up the first time you watch an AI agent execute a PATCH request against your own infrastructure. The agent has read your DNS records, scanned your zones, found a misconfiguration, drafted the fix, and is waiting for you to type “yes.”
You realize, in that pause, that the conversation you’re about to have isn’t really about the bug. It’s about whether you trust the thing between the model and the API, the wiring that decided which calls were available, which credentials were used, whether anything was logged, and what happens if the model goes sideways.
That wiring is the agentic harness. And during Agents Week 2026, Cloudflare shipped, or finished shipping, almost every piece of it. The story across the week wasn’t “we built another agent.” It was: Cloudflare is wrapping your account in the harness that makes agents safe to use against it.
This post is a tour of that harness, organized around what it actually does.
What Cloudflare actually announced
The Agents Week recap groups the announcements into five pillars: compute, security, the agent toolbox, prototype-to-production, and the agentic web. That’s the right framing if you’re building agents. If you’re running a Cloudflare account and trying to survive the agent era, a different shape comes into focus. The same pieces stack into four straps.
Strap 1: Identity | Who is the agent, and what may it touch?
For the last decade, the unit of Cloudflare access has been the human and their API token. That model breaks the moment a coding agent at 2 AM is asking your account for permission to do something on your behalf. The agent isn’t you. It isn’t a user. It’s a non-human identity (NHI) acting on behalf of one, and you need to know which agent it is, who authorized it, and what it’s allowed to do, every time.
Agents Week shipped four things to make that tractable:
- New scannable API token formats (cfk_, cfut_, cfat_) with checksums, so GitHub and other credential scanners can detect leaks and auto-revoke. Resource-scoped RBAC went GA across more products. New roles at account and zone scope (SSL/TLS Management, Security Center, Snippets, MCP Portals, and others).
- A redesigned OAuth consent screen showing the application, the requested scopes, and the target accounts. A new Connected Applications page (/profile/access-management/authorization) lets you audit and revoke third-party access in one place.
- RFC 9728 (OAuth 2.0 Protected Resource Metadata) baked into Cloudflare Access. Agents can authenticate against internal applications on behalf of users in one click. No more handing them a long-lived service account.
- Resource-scoped permissions are enforced underneath a token surface that the agent never sees. The agent writes code against a TypeScript proxy; credentials never enter the model’s context.
The mental model Cloudflare’s own security team uses for this is simple: principal, credential, policy. Or, as their post phrases it, the traveler, the passport, and the visa. The traveler is who you are. The passport proves it. The visa says which rooms you’re allowed into. For most of the last decade, Cloudflare customers had passports (API tokens) and a coarse, account-wide visa. Now every layer of that is independently controllable.
Strap 2: Execution | Where the agent’s code actually runs
The naive way to give an agent power is to install an MCP client on your laptop, paste in your global API key, and let it rip. That works for demos. It is wildly unsafe for anything else: the agent’s code runs in the same trust domain as your shell, your SSH keys, and your password manager.
Cloudflare’s pitch is that the agent’s workspace should be a serverless primitive. Owned, audited, and kill-switchable by the platform, not a process on your laptop. Three Agents Week launches push this hard:
- Persistent, isolated compute environments with a real shell, filesystem, and background processes. Agents get a “computer” that starts on demand and resumes where it left off. The kill switch lives at the platform.
- A programmable, zero-trust egress proxy for every sandbox. Credentials are injected server-side on outbound requests. They’re never present in the code the agent wrote. Dynamic security policies on the egress path.
- Secure private network access for users, nodes, and autonomous agents. Agents can reach private databases and internal APIs over WARP/Workers VPC with scoped access. No manual tunnels, no shared service accounts.
Stack those three together and you get the runtime version of the principal/credential/policy model. The agent’s process lives in a Sandbox. Its network traffic goes through an Outbound Worker that holds the real secrets. Its access to private services is brokered by Mesh against the user’s identity. The agent is fully autonomous and has, on paper, zero credentials.
Strap 3: Governance | Visibility, controls, and a back-pressure valve
You can have perfect identity and perfect isolation and still lose the building if you can’t see what’s happening. The governance strap is what gives a SecOps team a steering wheel and a brake.
- The full Cloudflare-internal stack documented as a recipe: remote MCP servers built from a monorepo template, fronted by Cloudflare Access for auth, surfaced through MCP Server Portals for discovery and DLP, with AI Gateway sitting between MCP clients and the underlying LLM. Everything logged, everything policy-controllable.
- An MCP server portal can now collapse dozens of upstream MCP servers into two tools (portal_codemode_search + portal_codemode_execute). In Cloudflare’s internal deployment, 52 tools across four servers went from ~9,400 tokens of context to ~600, a 94% reduction. The portal becomes the place where progressive disclosure, audit, and DLP all live.
- DLP regex profiles for the JSON-RPC methods MCP traffic actually uses ("method":"tools/call", "method":"initialize", "method":"resources/read", etc.). Gateway can now see, log, or block an employee or workload talking to an unauthorized MCP server, even over an arbitrary HTTPS endpoint.
- Every public MCP server is an HTTP endpoint. Cloudflare WAF’s AI Security for Apps can now inspect inbound MCP traffic for prompt injection, sensitive data leakage, and topic classification, the same way it inspects any other web API.
The thing to notice is that none of these are “AI products.” They’re networking products applied to a new shape of traffic. The harness reuses Cloudflare’s existing zero-trust and edge security plumbing rather than inventing a parallel stack.
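As an added illustration of the DLP and Gateway controls described above (example code, not Cloudflare's), here is a gateway-style inspector that recognises MCP JSON-RPC bodies, classifies them by method, and decides allow, log or block against an allowlist of approved MCP servers. The approved hosts, the method classes and the sample requests are constructed for the example.

```javascript
// Approved MCP server hosts are constructed for illustration.
const APPROVED_MCP_HOSTS = new Set(["mcp.cloudflare.com", "mcp.corp.example"]);

// JSON-RPC methods MCP clients send, grouped by what they can do.
const MCP_METHOD_CLASS = {
  "initialize": "handshake",
  "tools/list": "read",
  "resources/list": "read",
  "resources/read": "read",
  "prompts/get": "read",
  "tools/call": "write", // runs a tool on the server: the action-taking call
};

// Recognise an MCP-shaped JSON-RPC request; null for anything else.
function parseMcpMessage(body) {
  let msg;
  try { msg = JSON.parse(body); } catch { return null; }
  if (!msg || msg.jsonrpc !== "2.0" || typeof msg.method !== "string") return null;
  return { method: msg.method, id: msg.id ?? null, params: msg.params ?? {} };
}

// Gateway decision for one outbound HTTPS request: allow, log or block.
function inspectMcpRequest({ host, body }) {
  const msg = parseMcpMessage(body);
  if (!msg) return { action: "allow", reason: "not MCP traffic" };
  if (!APPROVED_MCP_HOSTS.has(host)) {
    return { action: "block", reason: `MCP ${msg.method} to unapproved server ${host}` };
  }
  const klass = MCP_METHOD_CLASS[msg.method] ?? "unknown";
  if (klass === "write" || klass === "unknown") {
    const tool = msg.params.name ?? "(no tool name)";
    return { action: "log", reason: `${msg.method} ${tool} on ${host}` };
  }
  return { action: "allow", reason: `${klass} method on approved server` };
}

// Constructed sample traffic, as a gateway would see the request bodies.
const SAMPLE_REQUESTS = [
  { host: "mcp.cloudflare.com", body: '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}' },
  { host: "mcp.cloudflare.com", body: '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"zones_list"}}' },
  { host: "mcp.unapproved.example", body: '{"jsonrpc":"2.0","id":3,"method":"resources/read","params":{"uri":"db://customers"}}' },
  { host: "api.example.com", body: '{"user":"alice"}' },
];

function inspectAll(requests) {
  return requests.map(inspectMcpRequest);
}
```

Methods the gateway has never seen are logged rather than silently allowed, so a new MCP capability shows up in the audit trail before it is added to the policy.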
Strap 4: Interface | the surface the human and the agent share
The last strap is the easiest to underrate. It’s about where the agent and the human meet, and how the human stays in the loop when something matters.
- An in-dashboard agent that already serves ~18,000 daily users and ~250K tool calls per day across DNS, Workers, SSL/TLS, R2, Registrar, Cache, Tunnel, API Shield, and more. Crucially: every write goes through an elicitation gate. An explicit approval action in the UI before any code runs. Read operations are proxied; writes are blocked until you click. API keys never enter the generated code.
- One consistent CLI across ~3,000 API operations, with Local Explorer for debugging. The same surface that agents call is the surface developers call.
- A preview of the next-generation Agents SDK: from lightweight primitives to a “batteries-included” platform for agents that think, act, and persist. Durable Objects under the hood, with built-in scheduling and human-in-the-loop.
The agent toolbox
Agent Memory, AI Search, Browser Run (with Live View + Human in the Loop), Email for agents, voice, and a unified AI Platform inference layer across 14+ providers. The components an agent needs to do work once it’s safely strapped in.
The interface strap is where the harness becomes visible to the person actually using it. Agent Lee’s design choice, that the confirmation prompt before a write is not a UX courtesy but the gate itself, is the whole point. The agent is powerful precisely because it can act; it is safe precisely because it cannot act without you.
The world the agent is acting on
Two more Agents Week launches don’t fit neatly into a strap, but they matter to the whole story:
- Agent Readiness Score: a site-level score from Radar that tells you how well your own site supports agents (and whether agents are likely to succeed against it).
- Redirects for AI Training: a toggle that redirects verified crawlers from deprecated URLs to canonical pages, so the web agents read isn’t out-of-date by definition.
Together with shared dictionary compression and the FL2 network performance work, they amount to: agents will be a meaningful share of Internet traffic, so we’re going to make sure the Internet talks to them properly.
What the harness feels like, in practice
So that’s the harness. Identity, execution, governance, interface. All four straps now exist in shippable, generally-available form. The fair question is whether it actually feels like a harness when you wear it, or just like more dashboards.
Before Agents Week wrapped, I sat down with Cloudflare’s AI Playground and the Cloudflare API MCP server, pointed it at my own enterprise account (two zones, six Workers, full Cloudflare employee posture), and told it: find what’s wrong, then fix what you can.
How the connection actually works
The Cloudflare API MCP server uses a technique called Codemode, the same technique that now powers MCP Portals and Agent Lee. Instead of exposing thousands of individual tool definitions to the model (which would consume over a million tokens), the model writes JavaScript against a typed representation of Cloudflare’s OpenAPI spec. The generated code runs in an isolated sandbox.
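To make the Codemode flow and the elicitation gate from the interface strap concrete, here is an added example that is not Cloudflare's Codemode, Sandbox or Agent Lee code: agent-written JavaScript calls a proxy whose GETs pass straight through, whose writes wait for an explicit human decision, and which holds the bearer token in a closure the agent's code never sees, logging every call either way. The token value, the in-memory API stand-in, the zone data and all function names are constructed for the example.

```javascript
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function createGatedProxy({ token, transport, approve }) {
  const auditLog = [];
  // Credentials are attached here, on the far side of the agent's code.
  async function send(method, path, body) {
    const res = await transport({ method, path, body, headers: { Authorization: `Bearer ${token}` } });
    auditLog.push({ method, path, outcome: `http ${res.status}` });
    return res.body;
  }
  // Elicitation gate: a write does nothing until approve() returns true.
  async function call(method, path, body) {
    if (!WRITE_METHODS.has(method)) return send(method, path, body);
    if (!(await approve({ method, path, body }))) { auditLog.push({ method, path, outcome: "rejected by human" }); return null; }
    return send(method, path, body);
  }
  // The surface the agent's generated code sees: no token, no raw fetch.
  return {
    zones: {
      list: () => call("GET", "/zones"),
      getSetting: (z, name) => call("GET", `/zones/${z}/settings/${name}`),
      patchSetting: (z, name, value) => call("PATCH", `/zones/${z}/settings/${name}`, { value }),
    },
    auditLog,
  };
}

// Constructed in-memory stand-in for the API (not a real endpoint): one zone with a weak TLS floor.
function makeFakeTransport() {
  const store = { "/zones": [{ id: "z1" }], "/zones/z1/settings/min_tls_version": { value: "1.0" } };
  return async ({ method, path, body, headers }) => {
    if (headers.Authorization !== "Bearer EXAMPLE-TOKEN-NOT-REAL") return { status: 403, body: null };
    if (method === "PATCH") store[path] = { value: body.value };
    return { status: 200, body: store[path] ?? null };
  };
}

// What an agent's generated audit code might look like against this proxy.
async function auditAndFix(cf) {
  const findings = [];
  for (const z of await cf.zones.list()) {
    const cur = await cf.zones.getSetting(z.id, "min_tls_version");
    if (cur.value < "1.2") { // string compare suffices for "1.0".."1.3"
      const after = await cf.zones.patchSetting(z.id, "min_tls_version", "1.2");
      findings.push({ zone: z.id, before: cur.value, after: after ? after.value : cur.value });
    }
  }
  return findings;
}
```

In the dashboard the approve() callback is the human clicking in the UI; here it is whatever the caller passes, which is what makes the gate testable.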
Try it yourself
- Open playground.ai.cloudflare.com.
- Connect to https://mcp.cloudflare.com/mcp.
- Authenticate with your Cloudflare account.
- Ask: “List all zones in my account. For each one, show the SSL/TLS settings.”
You’ll have your first finding inside 60 seconds.
For the full audit experience, create a scoped API token with Read on Account Settings, Audit Logs, Zone, Zone Settings, Zone WAF, Firewall Services, SSL/Certificates, and DNS, plus Edit on Zone Settings if you want to let the agent fix what it finds. Connect with Authorization: Bearer <token>. The difference between what the OAuth scopes can see and what a properly-scoped token reveals is the difference between a surface scan and a real audit.
Cloudflare’s MCP servers are open source: github.com/cloudflare/mcp-server-cloudflare. Find a bug, request a server, or file the schema issue I hit during my audit; they’re paying attention.
Building for the future is the harness
Rita Kozlov and Dane Knecht’s opening post for Agents Week framed it well: the cloud was built for one-app-serves-many-users, and agents are one-user-one-agent-one-task. The infrastructure has to change underneath. Workers and isolates were already the right primitive for that compute shift, and Cloudflare has been steadily filling in the security, identity, governance, and interface layers around them.
The phrase “agentic harness” isn’t Cloudflare’s, but it’s the right way to describe what they shipped. A harness lets a powerful thing work safely with humans. It doesn’t constrain the agent. It constrains the conditions under which the agent gets to act. Identity says who. Execution says where. Governance says what’s allowed and what’s logged. Interface says when the human needs to look up.
When my agent paused, mid-conversation, and asked permission to fix two real misconfigurations on my own account at 2:20 in the morning, that pause was the harness. It’s the difference between “an AI did something to my Cloudflare account” and “I asked an AI to do something to my Cloudflare account, and watched it do exactly that, with a paper trail.”
The harness framing is spot on. During Agents Week 2026, you truly changed the game with the Agent-Ready framework by turning autonomy into something auditable and safe at the edge. Here at KusiAI in Spain, we took the new Scanner to the extreme (All Checks enabled) and engineered our architecture to successfully hit Level 5: Agent-Native (100% Bot Control & 100% Content). Enforcing boundaries at the infrastructure level works flawlessly. If the Product team is ever looking for a real-world Case Study on how to build Agent-Native infrastructure from scratch using these standards, our doors are open! Fantastic tool.
The "harness" framing is the right one. The conversation in most teams building agentic systems isn't "can the model do this" — it's "what can we safely let the agent do, and how do we enforce that boundary at the infrastructure level rather than hoping the prompt holds." The straps, buckles, gates metaphor maps to a real engineering problem: agents need scoped permissions, auditable action logs, and hard stops that don't rely on the model respecting an instruction. Shipping those as primitives rather than leaving teams to bolt them on per-project is exactly the right abstraction layer. Curious whether the harness is composable enough to work with third-party agent frameworks or whether it's primarily designed around Cloudflare's own tooling.
Did you lay off your own security team though?
The harness framing is exactly where production agent infrastructure is heading. If agents can act against live accounts at the edge, enforcement has to live close to execution too. Sub-600ms deterministic decisions, distributed with the same model, are what keep autonomy deployable without giving latency back.